Salesforce Updated Identity-and-Access-Management-Architect Exam Questions and Answers by sienna-rose

Contactless users in Experience Cloud are tied to a narrower external identity model than full community users associated with contacts. That is the important architectural tradeoff. The feature can reduce overhead for certain external identity scenarios, but it also limits what license model and functionality are available. In practice, architects need to recognize that contactless users are associated with External Identity use cases rather than the richer Experience Cloud collaboration capabilities that depend on account-contact relationships. That is why the decision affects portal design, entitlement options, and downstream business processes. The right answer focuses on the license and capability limitation, not on speculative behavior about passwordless login or automatic contact creation during a later license change. This is why option C is the best answer in Salesforce terms.

To populate custom fields on the User record during SSO, Salesforce expects the architect to use the SAML Just-in-Time handler pattern. That means implementing the appropriate JIT interface and supplying create and update methods that map incoming assertion data into Salesforce user attributes. Session management classes and generic registration-handler interfaces solve different problems. The JIT handler exists specifically so that user creation and user updates can occur at login time based on federation data. This is useful when the identity provider is the source of truth for workforce attributes and those values must be refreshed without manual administration. In short, the interface gives Salesforce the entry point, and the create/update methods carry out the field population logic. This is why options A, C work together as the correct solution.

When Salesforce receives a SAML assertion and needs to translate external directory group membership into Salesforce entitlements at login, Apex Just-in-Time provisioning is the right hook. A JIT handler can read custom SAML attributes, interpret the incoming group values, and then create or update the user record and assign the appropriate permission sets. Login flows run after authentication and are not the normal mechanism for parsing assertion content into provisioning logic. Standard SAML attributes also don’t carry every organization-specific group mapping, which is why custom attributes are typically used for permission translation. The design goal is to make access decisions based on identity-provider claims at sign-in, and the JIT Apex handler is where Salesforce expects that provisioning and entitlement logic to be implemented. This is why option A is the best answer in Salesforce terms.

When partners need a single login and some do business across multiple country operations, the lowest-customization answer is often to federate access across org boundaries with SAML rather than replicate identities manually in each org. A partner can maintain a primary login context and use federation to reach the additional orgs or communities they need. Consolidating everything into one org may not be feasible if country-based orgs already exist for operational reasons, while APIs and login flows create more custom work. The architectural point is that identity should be centralized even if application data remains distributed. SAML federation is built precisely for that: one user identity can be trusted across multiple Salesforce-based service providers without forcing separate sign-in credentials per country. This is why option A is the best answer in Salesforce terms.